|Detected||Dec 03 2007 23:17 GMT|
|Released||Dec 03 2007 23:17 GMT|
|Published||Aug 07 2008 13:48 GMT|
This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 38400 bytes in size. It is written in C++.
Once launched, the Trojan copies its body to the Windows system directory as "Ir32_a.exe":
It then deletes its original file.
In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:
The Trojan sends a request to the remote malicious user's site:
It receives in reply a file containing links from which other objects will be downloaded. The file will be saved to the C: root directory: as "tmp.dat":
Files which are downloaded from the links contained in the file are saved to the Temporary Internet Files directory under their original names. Once they have been downloaded they are launched for execution.
At the moment of writing, the link was not active.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.